MS patch release underlines increased internet security risks

Yesterday Microsoft released four security bulletins that covered a total of eight vulnerabilities. All four of the bulletins were rated critical by Microsoft.

While all bulletins were critical, McAfee deemed those addressing vulnerabilities in the Microsoft Graphics Device Interface (GDI+), a Windows component used to process image files, and Windows Media Player 11 the most urgent. The vulnerabilities addressed by these updates (MS08-052 and MS08-054, respectively) could be exploited if a user viewed a rigged image or streamed a malicious media file from the Web.

'The bulk of the vulnerabilities addressed by Microsoft's fixes yesterday could be exploited if a Windows user simply visits a malicious Web site,' said Dave Marcus, security research and communications director at McAfee Avert Labs. 'Criminals are increasingly using the Web to deliver malicious software. In such drive-by downloads an attacker places malware onto a vulnerable computer without the user noticing it. Microsoft's patches again underline the risk of surfing the Web unprotected.'

All of the vulnerabilities addressed by Microsoft yesterday could allow attackers to take complete control over a computer running the vulnerable software. The image handling vulnerabilities in particular are likely to be exploited in cyberattacks.

'Microsoft has repeatedly had to fix problems related to the Graphics Device Interface in Windows and vulnerabilities in the component have been exploited broadly in the past. We can expect that security researchers will be looking to reverse engineer yesterday's patches, which may very well lead to many more exploits being created,' said Marcus.

McAfee recommends that home users install Microsoft's patches as soon as possible. Home users should use Windows Automatic Updates.